Snapchat Settles With FTC Over Privacy and Security Concerns

Snapchat, the maker of the popular video and photo chat app, has agreed to settle charges by the Federal Trade Commission that the company misrepresented the supposedly ephemeral nature of the messages users send and failed to take adequate security precautions with the data it collects, leading to a data breach earlier this year that leaked information belonging to 4.6 million users.

The FTC settlement, announced Thursday, requires that the company refrain from misrepresenting the security and privacy of its app and put in place a privacy program monitored for 20 years by a third party. The commission alleges in its complaint that not only were the “snaps”, or messages, sent by users not strictly ephemeral, as the company had promised, but that the Find Friends feature of the app wasn’t secured properly, leading to users sending snaps to strangers who registered with the wrong phone numbers.

“If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises,” FTC Chairwoman Edith Ramirez said in a statement. “Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action.”

In January, Snapchat acknowledged a massive data breach in which attackers were able to compromise 4.6 million usernames, passwords and phone numbers belonging to the app’s users. The Snapchat data breach drew the interest of the FTC, which began investigating the company’s practices and claims about its service. The app is designed to send photo and video messages between users, and the company claimed that the messages were ephemeral and disappeared soon after being sent. However, the FTC alleges that wasn’t strictly true and that there were several methods users could employ to retrieve them later.

“Consumers can, for example, use third-party apps to log into the Snapchat service, according to the complaint. Because the service’s deletion feature only functions in the official Snapchat app, recipients can use these widely available third-party apps to view and save snaps indefinitely. Indeed, such third-party apps have been downloaded millions of times. Despite a security researcher warning the company about this possibility, the complaint alleges, Snapchat continued to misrepresent that the sender controls how long a recipient can view a snap,” the FTC press release says.

The commission also said that video snaps were stored in unencrypted storage areas outside the app’s sandbox and that Snapchat collected iOS users’ contact information from their address books without notice or consent.

“Snapchat’s privacy policy claimed that the app only collected the user’s email, phone number, and Facebook ID for the purpose of finding friends. Despite these representations, when iOS users entered their phone number to find friends, Snapchat also collected the names and phone numbers of all the contacts in their mobile device address books,” the FTC release says.

Snapchat officials said that the company had amended the wording of its privacy policy and in-app notifications to be clearer.

“While we were focused on building, some things didn’t get the attention they could have. One of those was being more precise with how we communicated with the Snapchat community,” the company said.

Authors

Threatpost
